

Cloudflare integration
Cloudflare sits in front of most of the internet's web traffic as a DNS provider, CDN, WAF, and SSL/TLS terminator — which makes it both a powerful shield and a single place where misconfigurations quietly create exposure. The FortWatch Cloudflare integration (currently in development) will connect to your Cloudflare account read-only to pull your DNS, SSL/TLS, and security settings, then cross-check them against what FortWatch actually observes from the outside. The result is a single picture of whether the edge you think you have matches the attack surface attackers can see.


Cloudflare + FortWatch
FortWatch will connect to Cloudflare through a scoped, read-only API token (Cloudflare's standard token model lets you grant Zone.DNS, Zone.SSL and Certificates, and Zone.Settings read access — nothing more). Once connected, FortWatch periodically reads each zone's DNS records, SSL/TLS encryption mode, certificate state, and security settings, and reconciles them with its own external scans. Because FortWatch already fingerprints Cloudflare from response headers (cf-ray, server: cloudflare), it knows which of your assets are proxied through the edge versus exposed directly — so it can correlate, for example, a DNS A record in Cloudflare against an origin IP it found reachable on the open internet. Where Cloudflare supports it, FortWatch will subscribe to Notification webhooks so changes to certificates or security settings surface in your FortWatch timeline rather than waiting for the next scan.
FortWatch scans
Eleven scanners watch your external attack surface around the clock — ports, certs, DNS, cloud buckets, exposed files and more.
AI triages the finding
Each issue is scored by real-world impact and packaged with the affected asset and a one-line explanation of the risk.
Delivered to Cloudflare
The finding lands in Cloudflare, routed by severity — so the right people see the right alert, fast.
What you'll be able to do
Everything the Cloudflare integration will bring to your security workflow.
Origin exposure detection
FortWatch flags when an origin server behind Cloudflare is also directly reachable by IP, letting attackers bypass the WAF, DDoS protection, and rate limiting entirely.
DNS hygiene reconciliation
Compare Cloudflare DNS records against FortWatch's DNS scanner to catch dangling CNAMEs, records pointing at deprovisioned assets (subdomain takeover risk), and missing or weak SPF/DKIM/DMARC/DNSSEC.
SSL/TLS mode verification
Surface zones set to 'Flexible' or 'Off' encryption mode where traffic between Cloudflare and your origin travels unencrypted, and reconcile certificate expiry with what FortWatch sees on the wire.
Proxy-status awareness
Identify DNS records that are grey-clouded (DNS-only, not proxied) and therefore expose the real origin and any open ports on it.
Unproxied asset discovery
Catch subdomains and services that live outside Cloudflare's coverage and never gained WAF, SSL, or DDoS protection in the first place.
Change visibility
Get notified when a certificate, DNS record, or security setting changes in Cloudflare, with FortWatch confirming the externally observed effect of that change.
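The reconciliation these checks describe can be sketched as follows. This is an added example, not FortWatch's code: the zone data and scan results are constructed, the record fields mirror Cloudflare's DNS record objects (type, name, content, proxied), and the severity levels and the `reconcile` function are assumptions made for illustration.

```python
# Constructed sample zone; field names mirror Cloudflare DNS record objects.
ZONE = {
    "name": "example.com",
    "ssl_mode": "flexible",  # Cloudflare modes: off, flexible, full, strict
    "records": [
        {"type": "A", "name": "api.example.com", "content": "198.51.100.42", "proxied": True},
        {"type": "A", "name": "www.example.com", "content": "198.51.100.50", "proxied": True},
        {"type": "A", "name": "vpn.example.com", "content": "198.51.100.77", "proxied": False},
        {"type": "TXT", "name": "example.com", "content": "v=spf1 -all", "proxied": False},
    ],
}
# Constructed external-scan results (hypothetical shape): IPs that answered
# directly with their open ports, and hostnames seen from the outside.
OBSERVED = {
    "direct_ips": {"198.51.100.42": [443], "198.51.100.77": [22, 443]},
    "hostnames": {"api.example.com", "www.example.com",
                  "vpn.example.com", "staging.example.com"},
}
PROXYABLE = {"A", "AAAA", "CNAME"}          # record types that can be proxied
RANK = {"critical": 0, "high": 1, "medium": 2}  # assumed severity scale

def reconcile(zone, observed):
    """Compare zone configuration with outside-in observations."""
    findings = []
    if zone["ssl_mode"] in ("off", "flexible"):
        findings.append(("high", zone["name"],
                         f"SSL/TLS mode '{zone['ssl_mode']}': edge-to-origin traffic is unencrypted"))
    known = set()
    for rec in zone["records"]:
        if rec["type"] not in PROXYABLE:
            continue
        known.add(rec["name"])
        ports = observed["direct_ips"].get(rec["content"], [])
        if rec["proxied"] and ports:
            # Proxied in config, yet the origin IP answers on its own.
            findings.append(("critical", rec["name"],
                             f"origin {rec['content']} answers directly on ports {ports}, bypassing the edge"))
        elif not rec["proxied"]:
            findings.append(("medium", rec["name"],
                             f"DNS-only record exposes {rec['content']}, open ports {ports}"))
    # Hostnames seen externally that the zone does not cover at all.
    for host in sorted(observed["hostnames"] - known):
        findings.append(("medium", host, "seen externally but absent from the zone"))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

if __name__ == "__main__":
    for severity, asset, detail in reconcile(ZONE, OBSERVED):
        print(f"{severity.upper():8} {asset:22} {detail}")
```
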
What an alert looks like
Every finding arrives formatted for Cloudflare — severity up front, the affected asset, and a one-line explanation of why it matters, with a link straight to the step-by-step fix.
- Severity-tagged and color-coded
- The exact asset and port affected
- One click to the full finding & remediation
Cloudflare
FortWatch Finding · Cloudflare zone: example.com

🔴 Critical — Origin reachable directly, bypassing Cloudflare
DNS A record api.example.com is proxied through Cloudflare, but FortWatch reached the origin host 198.51.100.42 directly on port 443. Requests sent straight to the IP skip the WAF, rate limiting, and DDoS protection your zone relies on.

Observed origin: 198.51.100.42:443
Proxy status (Cloudflare): Proxied (orange-cloud)
Externally observed: Direct IP responds with the same TLS cert
Detected: 2026-06-07 14:22 UTC
→ Restrict origin to Cloudflare IP ranges (firewall / Authenticated Origin Pulls) and review finding evidence in FortWatch
Set it up in minutes, once it lands
No agents, no infrastructure changes — just connect Cloudflare and choose where alerts go.
When it launches, open Settings → Integrations in FortWatch and choose Cloudflare.
In your Cloudflare dashboard, create a scoped API token with read-only access to Zone.DNS, Zone.SSL and Certificates, and Zone.Settings for the zones you want monitored.
Paste the token into FortWatch and select which Cloudflare zones to connect.
Run an initial reconciliation so FortWatch can match your Cloudflare DNS, SSL, and security config against its external scans.
Optionally enable Cloudflare Notification webhooks so certificate and configuration changes appear in your FortWatch timeline in near real time.

Why route FortWatch into Cloudflare?
Cloudflare is only protecting you for the traffic that actually goes through it — an origin that's reachable by IP, a grey-clouded subdomain, or a zone left on Flexible SSL all create exposure the dashboard won't show you. By reconciling Cloudflare's configuration with what FortWatch sees from the outside, you find the gaps between your intended edge and your real attack surface before an attacker does. That outside-in verification is exactly what a WAF dashboard can't give you on its own.
Frequently asked questions
Is the Cloudflare integration available now?
Not yet — it's in active development. Add your email below and we'll notify you the moment it ships.
Does FortWatch need write access to my Cloudflare account?
No. The integration is read-only by design. It uses a scoped Cloudflare API token limited to reading DNS, SSL/certificate, and zone settings — it never modifies your records, WAF rules, or configuration.
Do I need Cloudflare to use FortWatch?
No. FortWatch scans your external attack surface regardless of who hosts it, and already detects Cloudflare automatically from response headers. The integration simply adds inside-out reconciliation for teams that do use Cloudflare, so config and reality can be compared directly.
Want the Cloudflare integration when it ships?
We'll email you the moment it goes live — no spam, just the launch.
Secure your entire stack today
Start scanning in under 5 minutes. No credit card required. 14-day free trial included.





